Kim Dotcom does well on Mega bug bounties

Victor Barreiro Jr.


Kim Dotcom's Mega reveals the results of the first week of its vulnerability rewards program

MEGA BOUNTY. Kim Dotcom's new service reveals the results of its first week of bug hunts. Screen shot from Mega website.

MANILA, Philippines – Kim Dotcom has backed up his promise to reward Mega bug hunters with mega money.

On February 9, Mega put up a post on their site announcing the results of the first week of their vulnerability reward program. The post explained both the criteria for the bounties as well as the bugs found and squashed during the first week of this bug bounty hunt.

Mega’s post outlines 6 classes of vulnerabilities, ranked by the severity of the issue found:

  • Severity class VI: Fundamental and generally exploitable cryptographic design flaws
  • Severity class V: Remote code execution on core MEGA servers (API/DB/root clusters) or major access control breaches
  • Severity class IV: Cryptographic design flaws that can be exploited only after compromising server infrastructure (live or post-mortem)
  • Severity class III: Generally exploitable remote code execution on client browsers (cross-site scripting)
  • Severity class II: Cross-site scripting that can be exploited only after compromising the API server cluster or successfully mounting a man-in-the-middle attack (e.g. by issuing a fake SSL certificate + DNS/BGP manipulation)
  • Severity class I: All lower-impact or purely theoretical scenarios

The post also gives the results of the first week: no class V or VI vulnerabilities were found. A number of other vulnerabilities were found in classes I through IV and were, as the post puts it, “fixed within hours.”

Kim Dotcom also retweeted a post from The Hacker News that lent credence to the allure of the vulnerability reward program: someone had actually posted their reward email on Twitter. While it wasn’t the grand bug that would lead to a 10,000 Euro (US$14,000) payday, it did show a 1,000 Euro reward for the recipient (approximately US$1337, a number that stands for ‘Elite’ in computer leetspeak). – Rappler.com


Victor Barreiro Jr is part of Rappler's Central Desk. An avid patron of role-playing games and science fiction and fantasy shows, he also yearns to do good in the world, and hopes his work with Rappler helps to increase the good that's out there.